You've Got Malware: FINALDRAFT Hides in Your Drafts — Elastic Security Labs

This article discusses the discovery of a new family of malware known as FINALDRAFT, which operates via Outlook using the Microsoft Graph API. The malware comprises advanced post-exploitation tools, indicating potential espionage activity. Key components include the PATHLOADER loader and multiple submodules that enhance operational capabilities. A Linux variant of the malware has also been identified, showcasing additional functionality yet to be fully developed. Affected: malware, cybersecurity, communication channels

Key points:

  • Discovery of a new malware family (FINALDRAFT) by Elastic Security Labs.
  • FINALDRAFT uses Outlook and the Microsoft Graph API for communication.
  • Includes various modules for post-exploitation activities and data exfiltration.
  • Observation of both Windows PE and ELF variants of the malware.
  • Evidence suggests that this is part of an espionage-oriented campaign.
  • Configuration settings contain typosquatted domains resembling well-known vendors.
  • The malware has advanced techniques for API hashing and string obfuscation.
  • Commands include process injection, file manipulation, and data forwarding capabilities.
  • Detection mechanisms are in place for various malware behaviors.
  • Elastic Security has established YARA rules for detection related to this malware.

MITRE Techniques:

  • T1071.001 – Application Layer Protocol: Utilizes the Microsoft Graph API for command and control communications.
  • T1041 – Exfiltration over Command and Control Channel: Data exfiltration via the Outlook email drafts created as command responses.
  • T1016 – System Network Configuration Discovery: Gathers network information including IP addresses and connected devices.
  • T1059.001 – Command and Scripting Interpreter: Executes shell commands via created processes.
  • T1505.003 – Server Software Component: Implements various modules and commands that inject processes and handle file manipulations.

Indicators of Compromise:

  • [Domain] poster.checkponit.com
  • [Domain] support.fortineat.com
  • [Domain] support.vmphere.com
  • [Domain] update.hobiter.com
  • [SHA256] 9a11d6fcf76583f7f70ff55297fb550fed774b61f35ee2edd95cf6f959853bcf
  • [SHA256] 39e85de1b1121dc38a33eca97c41dbd9210124162c6d669d28480c833e059530
  • [SHA256] 83406905710e52f6af35b4b3c27549a12c28a628c492429d3a411fdb2d28cc8c
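The indicators above are only useful once they are swept against telemetry. The following script is an added example, not Elastic's code or any part of the FINALDRAFT report: it matches the listed domains and SHA256 hashes against log lines and, because the page notes the domains typosquat well-known vendors, also flags hosts whose registrable label sits within two edits of a brand name. The brand list (checkpoint, fortinet, vmware) is an assumption read off the IoC domains, and the log lines are constructed for the demonstration.

```python
"""IoC sweep for the FINALDRAFT indicators plus a simple typosquat check (added example)."""
import re

# Domains and hashes exactly as listed in the page's indicator section.
IOC_DOMAINS = {
    "poster.checkponit.com",
    "support.fortineat.com",
    "support.vmphere.com",
    "update.hobiter.com",
}
IOC_SHA256 = {
    "9a11d6fcf76583f7f70ff55297fb550fed774b61f35ee2edd95cf6f959853bcf",
    "39e85de1b1121dc38a33eca97c41dbd9210124162c6d669d28480c833e059530",
    "83406905710e52f6af35b4b3c27549a12c28a628c492429d3a411fdb2d28cc8c",
}

# Assumption: the vendor names the typosquatted IoC domains imitate.
LOOKALIKE_BRANDS = ("checkpoint", "fortinet", "vmware")

SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)
# Loose hostname matcher: dotted labels ending in an alphabetic TLD (no public-suffix handling).
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

# Constructed log lines (DNS, proxy and EDR style) used as sample input.
CONSTRUCTED_LOG = [
    "2025-02-14T09:12:03Z dns client=10.0.0.17 query=poster.checkponit.com type=A",
    "2025-02-14T09:12:05Z dns client=10.0.0.17 query=support.fortinet.com type=A",
    "2025-02-14T09:13:41Z proxy client=10.0.0.22 host=update.checkpiont.com status=200",
    "2025-02-14T09:15:00Z edr host=WS-17 file=C:\\Users\\Public\\draft.dll "
    "sha256=9a11d6fcf76583f7f70ff55297fb550fed774b61f35ee2edd95cf6f959853bcf",
    "2025-02-14T09:15:02Z edr host=WS-17 file=C:\\Windows\\System32\\kernel32.dll "
    "sha256=0000000000000000000000000000000000000000000000000000000000000000",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance with single-character insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """Second-level label, e.g. 'checkponit' from 'poster.checkponit.com'."""
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_brand(host: str, max_distance: int = 2):
    """Return the brand a host imitates, or None. Exact brand labels are not flagged."""
    label = registrable_label(host)
    for brand in LOOKALIKE_BRANDS:
        if label != brand and levenshtein(label, brand) <= max_distance:
            return brand
    return None


def sweep(lines):
    """Return (line_no, indicator_type, value) for every IoC or lookalike hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for h in SHA256_RE.findall(line):
            if h.lower() in IOC_SHA256:
                hits.append((n, "sha256", h.lower()))
        for host in HOST_RE.findall(line):
            host = host.lower()
            if host in IOC_DOMAINS:
                hits.append((n, "domain", host))
            else:
                brand = lookalike_brand(host)
                if brand:
                    hits.append((n, f"lookalike:{brand}", host))
    return hits


def sweep_constructed():
    """Run the sweep over the constructed sample log."""
    return sweep(CONSTRUCTED_LOG)


if __name__ == "__main__":
    for line_no, kind, value in sweep_constructed():
        print(f"line {line_no}: {kind} {value}")
```

The lookalike check is deliberately narrow (edit distance on the second-level label only) so that legitimate vendor hosts such as `support.fortinet.com` pass while near-miss spellings are surfaced for review; in production the host regex should be replaced by the structured fields of the log source, and hits treated as leads rather than verdicts.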

Full Story: https://www.elastic.co/security-labs/finaldraft
